Unauthorised access attempts detected on Singapore’s HealthHub portal

HealthHub, a one-stop portal and mobile application launched in 2015 that gives Singaporeans access to a wide range of health content, rewards and e-services, has experienced a series of unauthorised log-ins, according to a recent statement from the Health Promotion Board (HPB). The portal is an initiative of the Ministry of Health and the Health Promotion Board, supported by Integrated Health Information Systems (IHiS), the national technology agency for healthcare in Singapore.

HPB and IHiS detected the unauthorised log-ins during investigations into unusual activities on the portal. The agencies found “higher than usual attempted log-ins” to the HealthHub portal on four days – Sept 28, Oct 3, Oct 8 and Oct 9 – using more than 27,000 unique IDs or email addresses.

Although 98 per cent of the email addresses used were not related to existing HealthHub accounts and the log-in attempts were unsuccessful, 72 accounts were successfully logged in to during those periods. These accounts were subsequently locked, and HPB contacted the account holders to inform them of the suspicious activity and to check whether they had made the attempts themselves.

HPB was first alerted when a user suspected her email account had been used without her permission to log in to the portal, and informed HPB. The agency also added that no evidence of a breach in the HealthHub system has been found.

Healthcare cybersecurity in Singapore has been in the limelight since the SingHealth cyberattack, which occurred in June 2018. Described as one of the worst cyberattacks in the country, the incident saw the personal information of 1.5 million SingHealth patients stolen by sophisticated hackers over the period between June 27 and July 4. Singapore Health Services, or SingHealth, is Singapore’s largest group of healthcare institutions, consisting of 4 public hospitals islandwide, 5 national specialty centres and a network of 9 polyclinics.

An ongoing Committee of Inquiry (COI) into the SingHealth cyberattack, which was convened on July 24, has held a series of public and private court hearings since last month and is expected to submit a report of its findings by the end of 2018.